DNS
Dymic Name System or Domain Name System
DNS resolves hostnames to IP addresses and vice versa. DNS records also control the appointment of servers to control e-mail.
DNS Basics
The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information concerning a website, all of which can be useful for troubleshooting, penetration testing and recon.
DNS Recon
In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in a hacker's DNS recon might be to type:
host random.com |
That will return basic information on the site, ip addresses (a records, aaaa for v6) and mail servers (mx records). For a little bit more information, use the -a flag, it will return everything from txt records to dnssec records.
Taking it a bit further, you can really start to pull a lot of information from DNS given the right circumstances. For example, if a domain name server has axfr's (zone transfers) enabled for everyone, you can get a list of subdomains for any domain name on that server. The easiest way to do this would be something like this:
host -tns random.com |
This would give return the dns servers for random.com, allowing you to do something like:
host -l random.com. ns75.worldnic.com |
In order to perform a successful zone transfer, you usually want to directly specify the name server. Here is an example of a successful zone transfer:
outlookccc.wideopenwest.com has address 64.233.207.77 mail.outlookccc.wideopenwest.com has address 12.152.37.50 pop-13.wideopenwest.com has address 64.233.207.59 pop-14.wideopenwest.com has address 64.233.207.60 portal.wideopenwest.com has address 64.233.207.39 |
There are many useful free DNS utilities on the internet. One that in particular is endorsed by us is YouGetSignal, that tool specifically. Essentially, you enter a domain or an IP and it will return a list of domain names that point to the ip.
See protocols for more information.